Security for web services in 9.0.3?

Hello all,
With regular Java Class Web Services, how do you declare logical security roles? Also, how do you declare method-level permissions based on those roles? Lastly, how about the security role mappings?
I am looking at http://otn.oracle.com/docs/products/ias/doc_library/903doc_otn/generic.903/a97681/security.htm
However, it does not mention anything about web services. Any help would be appreciated!
Thanks,
James

I am not sure it is possible to do what you want to do ... here are the two approaches you have:
1. When you publish a class the Web services publisher (either JDev or the Web Services Assembler tool), lets you wrap the class with an interface which becomes the available methods to the outside world. This is your first level of restriction regardless of authentication or authorization.
2. Then I can use constructs in the web.xml to map users of a specific URL pattern. Here, for example, is a sample for a class mypackage1.Class1 and its web.xml with BASIC authentication:
<web-app>
<description></description>
<servlet>
<servlet-name>mypackage1.Class1</servlet-name>
<servlet-class>oracle.j2ee.ws.StatelessJavaRpcWebService</servlet-class>
<init-param>
<param-name>class-name</param-name>
<param-value>mypackage1.Class1</param-value>
</init-param>
<init-param>
<param-name>interface-name</param-name>
<param-value>mypackage1.IClass1</param-value>
</init-param>
</servlet>
<servlet-mapping>
<servlet-name>mypackage1.Class1</servlet-name>
<url-pattern>/mypackage1.Class1</url-pattern>
</servlet-mapping>
<security-constraint>
<web-resource-collection>
<web-resource-name>ws</web-resource-name>
<url-pattern>/mypackage1.Class1</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>BasicRole</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>Enter a valid user</realm-name>
</login-config>
<security-role>
<role-name>BasicRole</role-name>
</security-role>
</web-app>
The crux of this method is the URL pattern ... once I match the URL pattern I will be subject to the security.
I also have to map from the orion-web.xml to the underlying authentication mechanism - here for example in the following I just use the default principals.xml, rather than working into JAAS and Oracle Internet Directory, where the users of BasicGroup might actually be defined:
<orion-web-app>
<security-role-mapping name="BasicRole">
<group name="BasicGroup"/>
</security-role-mapping>
</orion-web-app>
As the method is actually defined, assuming RPC, in the SOAP message that is posted, the URL pattern will not capture method level invocations.
Not sure this is what you are after but perhaps when you respond I will better understand where you want to go - the bottom line is that the Web services security is simply leveraging the Servlet model; it doesn't have method level security as say, for example, the underlying EJB model does.
Hope this helps.
Mike.

Similar Messages

  • An interview on security for Web services

    In a recent interview with SDN, Sun technical product manager Sidharth Mishra answers these questions: What are web services and why are the data they transmit highly insecure? How do you protect the data interactions? What role does OpenSSO play?
    See the related article at http://developers.sun.com/identity/reference/techart/webservices.html.

    In a recent interview with SDN, Sun technical product manager Sidharth Mishra answers these questions: What are web services and why are the data they transmit highly insecure? How do you protect the data interactions? What role does OpenSSO play?
    See the related article at http://developers.sun.com/identity/reference/techart/webservices.html.

  • Custom Token For web services security

    How can I implement a token based security for web services? I will return a
    custom token which contains a session-id among others after a JAAS
    authnetication. I want to pass this token for every web service invokation.
    I want the serverside EJB methods to be authorized based the roles in token.
    Any ideas or pointers on the possible solutions?
    Thanks,
    Vish

    How can I implement a token based security for web services? I will return a
    custom token which contains a session-id among others after a JAAS
    authnetication. I want to pass this token for every web service invokation.
    I want the serverside EJB methods to be authorized based the roles in token.
    Any ideas or pointers on the possible solutions?
    Thanks,
    Vish

  • Exception while accessing web service secure through web services Manager

    Hi All,
    I deployed sime Hello World web service on JWSDP1.6 and secure it through web service manager(gateway) using Certificate based security.But when I try to access this web service using JWSDP client,I got the following Error while monitoring the soap messages through TCP-Monitor:
    /////////////////////////////////Request///////////////////////////////////////////////////////////////
    POST /gateway/services/SID0003009 HTTP/1.1
    Content-Type: text/xml; charset=utf-8
    Accept: text/xml, text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
    Content-Length: 5631
    SOAPAction: ""
    User-Agent: Java/1.5.0_05
    Host: ivy.cs.ucl.ac.uk:8082
    Connection: keep-alive
    <?xml version="1.0" encoding="UTF-8"?><env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns0="http://hello.org/wsdl" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1"><xenc:EncryptedKey xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5"/><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <wsse:SecurityTokenReference>
    <wsse:KeyIdentifier EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentifier">eN9famBBWzHNUIwWRhMPktcM+VQ=</wsse:KeyIdentifier>
    </wsse:SecurityTokenReference>
    </ds:KeyInfo><xenc:CipherData><xenc:CipherValue>MHjtgA4wOtvI1B+SuRVEmD07yE+jl6axd4XbJ0nvQ3EzSuVVoST9vHzURh+B47yj41187s8T+yjt
    Bmpk9OB278Jghonkacv6r+q+LVlxRrQDudNGir7plzFeM6bUadMxf+FLgn5O0a44vU/tvy6V9+zi
    yqFdhTvS21No/aW62No=</xenc:CipherValue></xenc:CipherData><xenc:ReferenceList><xenc:DataReference URI="#XWSSGID-1155126003241-1198323932"/></xenc:ReferenceList></xenc:EncryptedKey><wsse:BinarySecurityToken xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3" wsu:Id="XWSSGID-11551260018331598979688">MIIC3TCCAkagAwIBAgIBATANBgkqhkiG9w0BAQQFADBJMQswCQYDVQQGEwJVUzEMMAoGA1UECBMD
    U0NBMQwwCgYDVQQKEwNTVU4xHjAcBgNVBAMTFWNlcnRpZmljYXRlLWF1dGhvcml0eTAeFw0wNjAz
    MTkxMzQ5MDJaFw0xNjAzMTYxMzQ5MDJaMEcxCzAJBgNVBAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAK
    BgNVBAoTA1NVTjEcMBoGA1UEAxMTeHdzLXNlY3VyaXR5LWNsaWVudDCBnzANBgkqhkiG9w0BAQEF
    AAOBjQAwgYkCgYEAzNDPKUz1MhUH1LsrLqXKxciOKSWeTrdoe/SVwe/4uy5eobAWSsSTposaOYFy
    uxf3cGCCIs7u0jMAXLQ9jzobDbt9XQ4tXPoBzKKzS+yU6hDk2TcOCkioeT9A9db5LF8yevhwXKB4
    AJ1Eh//Dp/djoonXCCxsxupQZp3ueRJrR98CAwEAAaOB1jCB0zAJBgNVHRMEAjAAMCwGCWCGSAGG
    +EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUECH05VC3/WGW
    H4AGD6tnH0h+kFUweQYDVR0jBHIwcIAUdry1wGRZ2fyJSKisVSxpMEmIiaahTaRLMEkxCzAJBgNV
    BAYTAlVTMQwwCgYDVQQIEwNTQ0ExDDAKBgNVBAoTA1NVTjEeMBwGA1UEAxMVY2VydGlmaWNhdGUt
    YXV0aG9yaXR5ggkA4HaEvd6hq8YwDQYJKoZIhvcNAQEEBQADgYEA0RhOk67pCrO6MgZZGqrmAMW6
    76fZowBxTKlFq88nrf8v1MUxV8H9wgbTDrwR0HtxY3TGpDFw2tNAww2pyDX/pQ2Wt46ichluGxjf
    aEV53loKTOM7syAmlicWqViGzBfgzriIl918TzFaX9BD/Y55bKZQk057maBCSkUuFfF453s=</wsse:BinarySecurityToken><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><InclusiveNamespaces xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="wsse enc env ns0 xsd xsi"/></ds:CanonicalizationMethod><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#XWSSGID-1155126002593447652186"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>UJ1kuwI+WuF/RkrQpZrj1GvraLI=</ds:DigestValue></ds:Reference><ds:Reference URI="#XWSSGID-1155126002602761294100"><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>sKG/z5OIGgqJ2nw7JtpXyJzr8pY=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>SBc65VTG1xpEkRUTz70H0fVGIgoBJ0QnNad0k07RMSfw4vG1WHJdt19R05pO2AvU5aoYuBSaguJe
    ZGEjmWzw8mnSWKBi+zeDMeJiwgqwW6HHHX9P7JDslxuTIqoJIVUbSjUTSVz6ww8siIK65quXdkMT
    ZzLfp7Cd0gBuA3EEZpg=</ds:SignatureValue><ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-11551260025411896275738">
    <wsse:Reference URI="#XWSSGID-11551260018331598979688" ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509v3"/>
    </wsse:SecurityTokenReference></ds:KeyInfo></ds:Signature><wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002602761294100"><wsu:Created>2006-08-09T12:20:02Z</wsu:Created><wsu:Expires>2006-08-09T12:20:07Z</wsu:Expires></wsu:Timestamp></wsse:Security></env:Header><env:Body xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" wsu:Id="XWSSGID-1155126002593447652186"><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" Id="XWSSGID-1155126003241-1198323932" Type="http://www.w3.org/2001/04/xmlenc#Content"><xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc"/><xenc:CipherData><xenc:CipherValue>XNqEzHNp47ILtOagAUNCXYkxOCWv4CjHqmZ7j6VKN/NO96ce4BsNSL6lKzqa9dPxHB1sTVGZQ8KA
    COQ6DGwyWCP8ip+CU2hor3uUAml7nzHTx1LUw3Db+0p31VAT3EqKJA3aFy38GQrBTr9ojMOUA6tm
    Cj71yucN3UCKRUl3RpE8qU68y7AwNxPsyAZeSa2AVm2cmWvSDZlxgMsx+JCEZaf3+D0o1zMp0Fxb
    MSISPt/JrEolt1H5UM1AoFGU4QkckWrQNLPyEF9oxEgZ8oCE5U8v/YJwZIAHFrx67XfaLwQLjzXw
    VPigsH9gLkfbP2BU8Vp31GsPwBZtUeNz9S35+CZPD7EiqoAB1QuAxZkJV7n00VChYH+scT64tNja
    c81bcD8tf4sAr7toCMNDAU6+74+Qy0EyPqgwLtotDxErn4kF8e72cONMMQBQ91tQs+iI+D6C1I6+
    f9UiSfgtm/MTuKQK1CRqarEtI9N6lpqVH8k7ulUwH/jFstihxmhMJ3aZY+qQgSwSs3pwSSim+e18
    eR7dOEq4vG8ivKuGvTDO4sSV2RP/nL/3eXr0y7eM0kMFKwTUA4JqL4Y/l8Bo/rie/ZXkkbF6hwEu
    dX1QmB0gf5k=</xenc:CipherValue></xenc:CipherData></xenc:EncryptedData></env:Body></env:Envelope>
    ////////////////////////////////Response///////////////////////////////////////////////////////////////
    HTTP/1.1 100 Continue
    Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
    Date: Wed, 09 Aug 2006 12:28:47 GMT
    HTTP/1.1 500 Internal Server Error
    Date: Wed, 09 Aug 2006 12:28:47 GMT
    Server: Oracle Application Server Containers for J2EE 10g (10.1.2.0.0)
    Connection: Keep-Alive
    Keep-Alive: timeout=15, max=100
    Content-Type: text/xml
    Transfer-Encoding: chunked
    157
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
    0
    So basically, what I am doing here as follows:
    HelloClient(using JWSPD1.6)->gateway(web service manager for securing the web service using message level security through certificate )->helloservice(deployed using JWSDP1.6)
    I would appreciate if someone could tell me the cause of this errror.Thanks.
    Kashif

    time to look into the gateway logs as stated by the fault ..
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode xmlns:p="http://schemas.oblix.com/ws/2003/08/Faults">c</faultcode><faultstring>Step execution failed with an exception</faultstring><detail></detail></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
    looks like the cipher step might have failed

  • Security in Web services

    I am new to web services so please pardon me if what I am asking is really dumb.....
    I have created a simple PL/SQL web service using JDeveloper that I have published to an installation of 9iAS. My client is calling this URL directly passing the parameters in the URL and getting the SOAP message back. Everything works great.
    Now I need to secure this somehow. This is an internal application, so I am not terribly concerned with security, but we do need something that will prevent somebody who stumbles across this URL to start using it.
    I have read a lot of documentation on securing web services, but it all seems to be around creating clients, but I don't want a client, I just want to be able to call the URL directly from external systems programmatically.
    One option is obviously to pass username / pw in as parameters and then validate this in PL/SQL, but this is obviously not very secure.
    Another things I was thinking was to use the owa_util.get_cgi_env('REMOTE_ADDR') inside by PL?SQL function to get the IP Address of the client calling and then validate this to make sure this client is allowed to access the web service. This function returns ORA-06502. Does anybody know anything about how to get the IP address of the client calling? I know there are ways to limit access to certain IP addresses on the web server level, but this server is used for other things so I don’t want to do that.
    Is there anything else I can do to secure a web service like this?
    Any help is appreciated.

    More reading and code sample (see end of this post) of what is coming and what is possible today:
    http://www.oracle.com/oramag/oracle/02-jul/index.html?o42special_web.html
    http://otn.oracle.com/oramag/webcolumns/2003/techarticles/smith_wss.html
    This article from Vipin Samar gives the state of WS-Security pretty accurately:
    http://otn.oracle.com/tech/webservices/standards/Samar_Security.htm
    Accompanying paper:
    http://otn.oracle.com/tech/webservices/pdf/33206.pdf
    And, this code sample/tutorial illustrates SSL with Web services:
    http://otn.oracle.com/sample_code/tutorials/wspki/toc.htm
    Mike.

  • Security of Web Services, Agents and Sequantial Calling of Web Services

    I want to ask about the secure invocation of web services and the role of agents.
    Suppose that I have greet() web service:
    public String greet() {
    String S1=sayHello(); // A web service, actually its proxy
    String S2=sayGoodMorning(); // A web service, actually its proxy
    return S1+" "+S2;
    It calls two other webservices and they return "HELLO" and "Good Morning". Also assume that I need to secure all my web services but I need these calls to work!
    I put an agent in front of those two web services and require them to check a SAML token. I also attach an agent to greet() to authenticate the inbound and sign and add SAML token for outbound.
    But I think these two calls fail because the SAML is not created on each call. (Is it?)
    How can I make those two calls, secure each web service and at the same time keep the security code out of business code, in other words keep my web service security agnostic?
    Thank you in advance.
    Best Regards
    Farbod

    Any Comments on this?

  • Use of security in web service

    Hi,
    I have tried to use security from the example jaas-sample of jwsdp 1.5 .
    I just want to secure my web service with a username/password.
    When I called my service from the client...I see the xml flow :
    <?xml version="1.0" encoding="UTF-8"?>
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:enc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" env:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
    <env:Header>
    <wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" env:mustUnderstand="1">
    <wsse:UsernameToken>
    <wsse:Username>Ron</wsse:Username>
    <wsse:Password>****</wsse:Password>
    <wsse:Nonce EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary">3k18Sv+DMhcO3aoq6YWLB4xa</wsse:Nonce>
    <wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2005-03-01T15:26:05Z</wsu:Created>
    </wsse:UsernameToken>
    </wsse:Security>
    </env:Header>
    <env:Body>
    <ns0:getInformations/>
    </env:Body>
    </env:Envelope>
    it seems to be correct but I have an exception :
    Thread : main at 01 mars 2005 16:10:06,593 ERROR Error occured during retrieving informations
    java.rmi.ServerException: JAXRPCSERVLET28 : Informations sur le port manquant
         at com.sun.xml.rpc.client.StreamingSender._raiseFault(StreamingSender.java:497)
         at com.sun.xml.rpc.client.StreamingSender._send(StreamingSender.java:294)
    It works when I not use the security option (in wscompile) ...
    Have you any idea for a solution?

    Hi,
    I tried the xws-security samples and everything worked fine.
    After editing the "java.security" according to the manual with:
    security.provider.2=org.bouncycastle.jce.provider.BouncyCastleProvider
    After that change and a restart of the application server I get the same error message.
    I copied the jar file "bcprov-jdk14-127.jar" from bouncycastle to the jre/lib/ext folder.
    I will check further.
    br
    Dieter

  • Secured Sybase Web Service with outside certificate authority

    Hello,
    I would like to use Secured Sybase Web Service with outside certificate authority, like Symantec. Could you let me know how I can create CSR for sending to Symantec? What other steps do I need to do?
    Thanks,
    Sudarat.

    Hello Jason,
    Thanks for your reply. The certificate authority require the CSR file before issue a signed certificate. If this is a signed certificate for IIS web server, I can create CSR from IIS. But I cannot use a signed certificate created from CSR of IIS with Sybase Web Service. The below steps are what I have tried.
    1. I use CreateCert.exe with /r parameter to create CSR and private key.
    2. I sent CSR to a certificate authority and they send back a signed certificate.
    3. I have to combine a signed certificate from #2 with private key created from #1. Then use that file to specify with -xs{https …when starting the service.
    Are the above steps what I have to do?  If so, do I need to redistribute createcert.exe to my customers who want to use my application and how? Why I cannot use the signed certificate created from CSR of IIS?
    Thanks,
    Sudarat.

  • Implementing Security in web services developed using JAX WS approach

    Hi ,
    Our Organization has developed a Web service using JAX WS approach exposing EJB as EndPoint .This wsdl file URL is only used by third party companies that register with us (Means i want to say that this wsdl url is not world wide accessable).
    Now we need to implement security for this service , please tell me what is the appropiate for doing so ??
    Thank you in advance .
    Waiting for your valuable suggestions .
    Please help .

    You can implement message level security in many ways. Some of the ways are
    SAML
    Digital certificates etc
    You may have to work with your vendor specific API to achieve this. Take a look at one case study.
    http://www.ibm.com/developerworks/webservices/library/ws-security.html
    You will find lot of articles on google to implement message level security however my recommendation would be to get in touch with security expert.

  • Unable to call WSS (WS-Security) enabled Web Service using UTL_DBWS

    We are attempting to call a WSS (WS-Security) enabled Web Service from PL/SQL using the UTL_DBWS package (see [http://download.oracle.com/docs/cd/B19306_01/appdev.102/b14258/u_dbws.htm#CHDIDGJH] ). We are doing this in similar fashion to [http://www.oracle-base.com/articles/10g/utl_dbws10g.php] with calls to utl_dbws.create_service, utl_dbws.create_call and utl_dbws.invoke.
    Using this method we can successfully call an unsecured Web Service, but calls to WSS-enabled Web Services fail. We are currently using Oracle Database 10.2.0.3.
    The failure we are getting is:
    ORA-29532: Java call terminated by uncaught Java exception: javax.xml.rpc.soap.SOAPFaultException:
    com.sun.xml.wss.XWSSecurityException: Message does not conform to configured
    policy ( AuthenticationTokenPolicy(S) ): No Security Header found;nested
    exception is com.sun.xml.wss.XWSSecurityException:
    com.sun.xml.wss.XWSSecurityException: Message does not conform to configured
    policy ( AuthenticationTokenPlicy(S) ): No Security Header found
    Apparently UTL_DBWS does not support calling WSS enabled services, although this doesn't appear to be an officially recognised position. Does anyone know if Oracle are planning to support this soon (if ever)? Looking at Re: Calling WS from PL/SQL using WS-security suggests that support has been considered before, but not yet realised.
    Thanks,
    Tom

    Having raised a Service Request with Oracle support on this, I got the following response from Oracle Development (On unpublished bug [8542959|https://metalink2.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=BUG&p_id=8542959]):
    Development has confirmed that WS-Security is not supported through UTL_DBWS. They have also acknowledged that this is not documented and they will change the official Oracle documentation will reflect this fact. From what is being stated, it would appear that there is no plan to support the use of WS-Security through UTL_DBWS in any release in the near future.
    So, in short, without developing your own home-grown SOAP request, there is no way to call a WSS enabled web service from within PL/SQL.
    -Tom

  • Re: Why doesn't WL7.0 support get/post bindings for web services ...

    hi!!!
    Could you pls point to any code example.
    thanks
    Pushpa
    "Richard Berger" <[email protected]> wrote:
    >
    Manoj: Thanks for the answer - do you have or can you point me at any
    code samples
    that accomplish this? (Yes, .NET is limited to strings/ints in their
    get/post
    bindings).
    Thanks so much!
    RB
    PS - Also, can you explain any apparent discrepancy between your answer
    and what
    the WL documentation stated (again, it may be my misunderstanding).
    "manoj cheenath" <[email protected]> wrote:
    WL 7.0 does allow you to access the web service through
    the browser. It even allows you to invoke service methods
    with complex type arguments (.Net only supports primitive
    types) and also to view the request and response soap
    message for the invocation.
    regards,
    -manoj
    "Richard Berger" <[email protected]> wrote in message
    news:[email protected]...
    This might be a naive question, but according to the documentation,WL 7.0
    does
    not support http post/get bindings for web services. Thus, for meto
    access a
    web service, I need to write a "middle tier" of some sort (I used
    the
    automatically
    generated Java proxy code and JSP). All works fine, but it seems
    like
    it
    would
    sure be nice to have HTML forms access web services without havingto
    write a
    middle tier.
    NET does this and it is extremely useful - is there a reason that
    BEA
    chose not
    to provide this feature? (e.g. is it architecturally unsound in anyway?
    or is
    there an easy way to simulate it?). Given some of the Web Workshoppositioning
    re: ease of use and .NET comparison, this seems like an omission.
    Any insights are greatly appreciated.
    Enjoy,
    RB
    PS - Here's the info from the documentation
    Web Services Description Language (WSDL) 1.1 Specification
    WSDL is an XML-based language that describes Web services. WSDL definesWeb services
    as a set of endpoints operating on messages; these message containeither
    message-style
    or RPC-style information. The operations and messages are describedabstractly
    in WSDL, and then bound to a concrete network protocol and messageformat
    to define
    an endpoint. Related concrete endpoints are combined into abstractendpoints (services).
    WSDL is extensible to allow the description of endpoints and theirassociated
    messages regardless of what message formats or network protocols areused
    to communicate,
    however, the only bindings described in the specification describehow to
    use
    WSDL in conjunction with SOAP 1.1, HTTP GET/POST, and MIME.
    Note: WebLogic Server supports only SOAP 1.1 bindings.
    The WSDL 1.1 Specification is available at http://www.w3.org/TR/wsdl.

    This isn't a straight FORM Post as in the http binding support in WSDL. It posts
    a soap message.
    It's apparent that Workshop supports form-post and form-get.
    But I dont see how it is done with straight WebLogic webservices. Does WebLogic
    server read the web-services.xml or the WSDL file? I dont see a way to put in
    http-post binding in the former and in the latter it seems to be ignored.
    Can someone clarify.
    Thanks.
    Chu-chi
    "manoj cheenath" <[email protected]> wrote:
    Here is a live example:
    http://65.193.192.35:7001/base/SoapInteropBaseService
    Here is an example that you can download:
    http://manojc.com/?sample2
    This is how you run it:
    http://manojc.com/?tutorial/doc/howtorun.html
    More info can be found from the edocs:
    7.0:
    http://edocs.bea.com/wls/docs70/webserv/index.html
    8.1:
    http://edocs.bea.com/wls/docs81/webserv/index.html
    Regards,
    -manoj
    http://manojc.com
    "pushpa krishna" <[email protected]> wrote in message
    news:[email protected]...
    hi!!!
    Could you pls point to any code example.
    thanks
    Pushpa
    "Richard Berger" <[email protected]> wrote:
    Manoj: Thanks for the answer - do you have or can you point me at
    any
    code samples
    that accomplish this? (Yes, .NET is limited to strings/ints in their
    get/post
    bindings).
    Thanks so much!
    RB
    PS - Also, can you explain any apparent discrepancy between your answer
    and what
    the WL documentation stated (again, it may be my misunderstanding).
    "manoj cheenath" <[email protected]> wrote:
    WL 7.0 does allow you to access the web service through
    the browser. It even allows you to invoke service methods
    with complex type arguments (.Net only supports primitive
    types) and also to view the request and response soap
    message for the invocation.
    regards,
    -manoj
    "Richard Berger" <[email protected]> wrote in message
    news:[email protected]...
    This might be a naive question, but according to the documentation,WL 7.0
    does
    not support http post/get bindings for web services. Thus, for
    me
    to
    access a
    web service, I need to write a "middle tier" of some sort (I used
    the
    automatically
    generated Java proxy code and JSP). All works fine, but it seems
    like
    it
    would
    sure be nice to have HTML forms access web services without havingto
    write a
    middle tier.
    NET does this and it is extremely useful - is there a reason that
    BEA
    chose not
    to provide this feature? (e.g. is it architecturally unsound in
    any
    way?
    or is
    there an easy way to simulate it?). Given some of the Web Workshoppositioning
    re: ease of use and .NET comparison, this seems like an omission.
    Any insights are greatly appreciated.
    Enjoy,
    RB
    PS - Here's the info from the documentation
    Web Services Description Language (WSDL) 1.1 Specification
    WSDL is an XML-based language that describes Web services. WSDL
    defines
    Web services
    as a set of endpoints operating on messages; these message containeither
    message-style
    or RPC-style information. The operations and messages are describedabstractly
    in WSDL, and then bound to a concrete network protocol and messageformat
    to define
    an endpoint. Related concrete endpoints are combined into abstractendpoints (services).
    WSDL is extensible to allow the description of endpoints and theirassociated
    messages regardless of what message formats or network protocols
    are
    used
    to communicate,
    however, the only bindings described in the specification describehow to
    use
    WSDL in conjunction with SOAP 1.1, HTTP GET/POST, and MIME.
    Note: WebLogic Server supports only SOAP 1.1 bindings.
    The WSDL 1.1 Specification is available at http://www.w3.org/TR/wsdl.

  • Why doesn't WL7.0 support get/post bindings for web services ...

    This might be a naive question, but according to the documentation, WL 7.0 does
    not support http post/get bindings for web services. Thus, for me to access a
    web service, I need to write a "middle tier" of some sort (I used the automatically
    generated Java proxy code and JSP). All works fine, but it seems like it would
    sure be nice to have HTML forms access web services without having to write a
    middle tier.
    .NET does this and it is extremely useful - is there a reason that BEA chose not
    to provide this feature? (e.g. is it architecturally unsound in any way? or is
    there an easy way to simulate it?). Given some of the Web Workshop positioning
    re: ease of use and .NET comparison, this seems like an omission.
    Any insights are greatly appreciated.
    Enjoy,
    RB
    PS - Here's the info from the documentation
    Web Services Description Language (WSDL) 1.1 Specification
    WSDL is an XML-based language that describes Web services. WSDL defines Web services
    as a set of endpoints operating on messages; these message contain either message-style
    or RPC-style information. The operations and messages are described abstractly
    in WSDL, and then bound to a concrete network protocol and message format to define
    an endpoint. Related concrete endpoints are combined into abstract endpoints (services).
    WSDL is extensible to allow the description of endpoints and their associated
    messages regardless of what message formats or network protocols are used to communicate,
    however, the only bindings described in the specification describe how to use
    WSDL in conjunction with SOAP 1.1, HTTP GET/POST, and MIME.
    Note: WebLogic Server supports only SOAP 1.1 bindings.
    The WSDL 1.1 Specification is available at http://www.w3.org/TR/wsdl.

    Manoj: Thanks for the answer - do you have or can you point me at any code samples
    that accomplish this? (Yes, .NET is limited to strings/ints in their get/post
    bindings).
    Thanks so much!
    RB
    PS - Also, can you explain any apparent discrepancy between your answer and what
    the WL documentation stated (again, it may be my misunderstanding).
    "manoj cheenath" <[email protected]> wrote:
    WL 7.0 does allow you to access the web service through
    the browser. It even allows you to invoke service methods
    with complex type arguments (.Net only supports primitive
    types) and also to view the request and response soap
    message for the invocation.
    regards,
    -manoj
    "Richard Berger" <[email protected]> wrote in message
    news:[email protected]...
    This might be a naive question, but according to the documentation,WL 7.0
    does
    not support http post/get bindings for web services. Thus, for meto
    access a
    web service, I need to write a "middle tier" of some sort (I used theautomatically
    generated Java proxy code and JSP). All works fine, but it seems likeit
    would
    sure be nice to have HTML forms access web services without havingto
    write a
    middle tier.
    NET does this and it is extremely useful - is there a reason that BEAchose not
    to provide this feature? (e.g. is it architecturally unsound in anyway?
    or is
    there an easy way to simulate it?). Given some of the Web Workshoppositioning
    re: ease of use and .NET comparison, this seems like an omission.
    Any insights are greatly appreciated.
    Enjoy,
    RB
    PS - Here's the info from the documentation
    Web Services Description Language (WSDL) 1.1 Specification
    WSDL is an XML-based language that describes Web services. WSDL definesWeb services
    as a set of endpoints operating on messages; these message containeither
    message-style
    or RPC-style information. The operations and messages are describedabstractly
    in WSDL, and then bound to a concrete network protocol and messageformat
    to define
    an endpoint. Related concrete endpoints are combined into abstractendpoints (services).
    WSDL is extensible to allow the description of endpoints and theirassociated
    messages regardless of what message formats or network protocols areused
    to communicate,
    however, the only bindings described in the specification describehow to
    use
    WSDL in conjunction with SOAP 1.1, HTTP GET/POST, and MIME.
    Note: WebLogic Server supports only SOAP 1.1 bindings.
    The WSDL 1.1 Specification is available at http://www.w3.org/TR/wsdl.

  • WSDL error during generation of  ABAP proxy for web service

    Hi friends,
    I am getting error during the generation of ABAP proxy object for web service developed in .NET .
    Error : Proxy generation terminated: WSDL error (<extension> not supported).
    How to make this WSDL file compatible  for  ABAP proxy.
    I have tried to edit WSDL file in XML Spy but did not get any option to replace/remove the tag <extention>.
    If any one worked on this. Please help me its urgent.
    Thanks and regards,
    Shivanand.

    HI ,
    I am having the same issue!!!
    Does ABAP Proxy Generation support <extension> ?
    Is there a list available of what is supported and what not (please consider I do not have access to sap notes)?
    Thanks

  • Best book for Web Services

    Can you suggest me what's best book for Web Services and XML to study? I'm planning to buy..
    Thanks in advance..

    Why does it need to be the best one? What would that even mean? Just buy something reputable, like an O'Reilly book, it's not going to be so horrifically poor that you can't learn from it

  • How to activate trace for web services

    Hi Experts,
    How to activate trace for web services in SOAMANAGER.
    We are not able to view the Payload trace of the error logs.
    Can anyone please let me know how to go about this???
    Regards,
    Ashwini

    Hi Ashwini,
    The thread below might be useful to you:
    [SOAMANAGER - Get the XML generated;
    Regards, Trevor

Maybe you are looking for

  • SharePoint Foundation 2013 - Multi-tenant Install and OneDrive for Business with Yammer i

    Hello, After installing SP Foundation 2013 (SP1) with Partitioned service applications we have noticed that while clicking on the "yammer and oneDrive" link the below error message comes up: _admin/yammerconfiguration.aspx any ideas?? http://technet.

  • Restrict printing on pdf

    Hi there, we're working with Adobe Designer 6.0 and we want prevent the user from printing. In the Layout Designer, there is a possibility to set permissions to the document, but if I activate the Form every settings are resetted. Any Information / N

  • Can't order replacement headphones because of location?

    I have an ipod shuffle whose retail apple headphones stopped working. From everything i've read about this, all i need to do is go through the order replacement parts proccess and i can get a new pair. However, when i try to do it, it keeps saying th

  • Bluetooth Treo 650 Sync now works

    I tried syncing my Palm Treo 650 with MBP 17" via Bluetooth since May with no success until the 10.4.7 update. I configured everything last month but connection failed due to " Port is already in use". So, after this update I tried connection vis Blu

  • I cant use my finger or pen on touchscreen.

    I can use my touchpad/mouse, but when i try to use my touchscreen to draw or other things with my finger or pen, it doesnt work. If I click outside the box/layer and drag into it, it will work. How can I fix this?  If it helps, I have a lenovo twist